The following updates are now available in the SWAMP at mir-swamp.org!
- The SWAMP now supports the upload and assessment of .NET packages that can be built using msbuild on Linux. SWAMP automatically reviews Solution and .NET project files and determines which can be built using a framework that does not require Windows. Users can then select which of those .NET projects to assess.
- We added three tools for the assessment of .NET packages on a Linux platform: Code Cracker v1.1.0, devskim 0.1.10, and Security Code Scan 2.7.1.
- GitHub Webhooks can now be configured to update SWAMP packages. When the GitHub Webhook is triggered, a new package version will be added to an existing SWAMP package. Package parameters are copied from the previous package version and used with a new archive of package code cloned from GitHub. To configure a GitHub Webhook for the SWAMP, users can edit the package information to get the Payload URL and set the Secret Token.
- A new schedule is now available for use in all projects. This schedule, “On Push,” runs assessments whenever a new push to a GitHub repository triggers a GitHub Webhook to generate a new Package Version in the SWAMP. This schedule works with an assessment for the “latest” version of a package that is configured to update based on a GitHub Webhook trigger.
- SWAMP packages can now be generated via an External URL that points to a downloadable archive.
- When a new SWAMP user account is created, a default project called “MyProject” is created automatically. “MyProject” is now viewable in the SWAMP user interface. Users are not able to edit or invite additional members to their “MyProject” projects. All packages users upload to the SWAMP are automatically shared with their “MyProject” project.
- For users who are owners or members of multiple projects, the associated project is now displayed for records on the Package, Assessments, Assessment Results, and Scheduled Assessment Runs pages. Additionally, users can specifically set the project to use when adding new assessments.
- The Build Script for a package version is now displayed on a separate pop-up, accessed by clicking the Show Build Script button. This applies to the Build page for adding new packages, adding a new package version to existing packages, and viewing and editing an existing package version.
- When adding a package or package version for C/C++ or Java Source Code without a build system, users can now specify a “build path” (relative to the package path) identifying the (non-recursive) directory that contains the compilable files to assess. SWAMP now does a better job of informing users about the files that are selected to compile and assess.
- SWAMP now does a better job of informing users about the files that are selected to assess for Ruby, Python, and Web Scripting packages with a build system of “none.”
- The SWAMP Native Results Viewer now correctly displays the primary bug location instead of the first bug located for weaknesses reported by tools that include multiple bug locations.
- The SWAMP discontinued support for the Ubuntu 10.04 assessment platform.
- SWAMP-in-a-Box v1.34 is available.
- General enhancements and bug fixes.
Let us know if you have any questions at firstname.lastname@example.org.